Here is a new demonstration of Azure Sentinel Threat Intelligence to walk you through how it is enriching and creating new alerts within your Sentinel environment.

Threat Intelligent feeds create alerts Azure Demo Banner play


Hello everyone, welcome to another Azure Sentinel demonstration. So, today what we’re going to do is a quick demo on Threat Intelligence and how it creates alerts from any of the threat intelligence indicators that have been imported.

What we’ve done so far is I’ve got my threat intelligence feed here, so this one is the IP address of a user, and so we’re going to be using a VPN to log into one of my accounts. And we will actually get an alert. So the first thing that we need to do is, we’ve already got our third intelligence indicator set up here, so there’s a couple of different ways that we can get those in. You can add them manually on the side there, or you can add through files from threat indicators, or you’re able to use data connectors like Taxii.

So we’ve got our threat intelligence indicator logged in there, and what we’re going to have to do is make sure that our Azure Sentinel is creating alerts when it is seeing these threat intelligence indicators. What we first want to do is head to our data connectors so this one is going to be an IP address logging in and it’s going to create an alert when someone logs in from that IP. So we’re just going to have to go to Active Directory, open up the connector page and, head over to the next steps. I’ve already created the alert rule. But basically, we were able to come to look over here, so these are the TI MAP email entity, TI MAP URL entity and, TI map IP entity. When we see this IP through threat intelligence, it’s going to create an alert for us. So as you see, I already have it in use, but to add that in all we do is create the rule and follow the same steps that we would when creating a regular analytic rule. What we’re going to do right now is I’m going to quickly log in and then we’re going to be able to see in a few minutes the alert happening. I’m just going to log in here and open up the Microsoft Authenticator app.

Alright. Now that we’ve logged into a Microsoft account that is Azure Active Directory domain linked, we’re just going to wait a few minutes for the analytic rule to run, and then we’ll be able to see that alert.

So once we head back into our Azure Sentinel and we take a look at our incidents, we can see here that threat intelligence has mapped an IP to our sign-in logs and has created an

alert for us. So what we can do here is check out and investigate what’s occurring. We can see the IP address. We can see the user, which is me, and we can see all the other related alerts. So these have been the other times that I’ve been signing in from

that malicious IP. What we can do is to go back into our threat intelligence. This is the IP that we had and so we can open up our threat intelligence workbook. What this does is it shows us the type of indicators that have been imported into Sentinel.

And then if we go down, it shows us the alert counts by the type of indicator. So these have been a couple of the tests that I’ve been doing, but it shows the number of alerts that we have and it shows the average detection time by the source. And it’s pretty awesome. It shows and gives you a little bit more insight into how threat intelligence is acting within your Azure Sentinel environment and how it’s creating those incidents.

Thanks so much for watching this demo today, guys. I hope you learned a little bit about threat intelligence and how it is enriching and creating new alerts within your Sentinel environment.


Written By:

Brendan Timm

Brendan is a Business Technology and Azure Consultant at Softlanding. He has proven expertise in cloud computing, cloud security, automation, and consulting.

More By This Author